Yet another Quadruple DNS?
michael at wi-fiber.io
Thu Mar 29 15:44:29 UTC 2018
Along these same lines, we have a service that captures all DNS requests
regardless the server(only non-TLS, albeit), that people pay $9.99/mo for,
so they definitely want this.. We just NAT all requests to Open DNS servers
to provide internet filtering as a service. It would be arbitrarily trivial
to run our own DNS service and reply to any unencrypted DNS request to any
DNS server with whatever A or AAAA record we want..
On 29 March 2018 at 09:29, Bill Woodcock <woody at pch.net> wrote:
> > \On Mar 29, 2018, at 7:27 AM, Brian Kantor <Brian at ampr.org> wrote:
> > On Thu, Mar 29, 2018 at 09:08:38AM -0500, Chris Adams wrote:
> >> I've never really understood this - if you don't trust your ISP's DNS,
> >> why would you trust them not to transparently intercept any well-known
> >> third-party DNS?
> > Of course they could. But it's testable; experiments show that they
> > aren't doing so currently.
> Experiments may show that in some tested cases they aren’t, but in the big
> picture, yes, there are ISPs who are internally capturing 22.214.171.124, and who
> try to do the same with 126.96.36.199. Which is why it’s so important to do
> cryptographic validation of the server and encryption of the transport, as
> well as DNSSEC validation.
More information about the NANOG